Diffstat (limited to 'src/knot/dnssec/key-events.c')
-rw-r--r--src/knot/dnssec/key-events.c30
1 files changed, 29 insertions, 1 deletions
diff --git a/src/knot/dnssec/key-events.c b/src/knot/dnssec/key-events.c
index ffd2ce8..ace48d5 100644
--- a/src/knot/dnssec/key-events.c
+++ b/src/knot/dnssec/key-events.c
@@ -293,7 +293,8 @@ typedef enum {
typedef struct {
roll_action_type_t type;
- bool ksk;
+ bool ksk; // These flags seem redundant, but are needed to avoid ASAN
+ bool zsk; // heap-use-after-free if the key is accessed directly during key generation.
knot_time_t time;
knot_kasp_key_t *key;
uint16_t ready_keytag;
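Review bot: The comment on the new `ksk`/`zsk` fields describes the symptom (an ASAN report) rather than the invariant the reader needs, which is that `key` may no longer be live by the time the action is logged. The sentence is also split across two field comments, so neither reads on its own. I would replace both with one comment above the pair, e.g. `// Copied from key at selection time: key may be freed during key generation, so the logging path must not dereference it for the GENERATE action.` Whether the key is freed only in the GENERATE path is inferred from this comment and from the new log_next_event() later in the diff, so confirm that before committing to the wording.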
@@ -525,6 +526,7 @@ static roll_action_t next_action(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flag
if (knot_time_cmp(keytime, res.time) < 0) {
res.key = key;
res.ksk = key->is_ksk;
+ res.zsk = key->is_zsk;
res.time = keytime;
res.type = restype;
}
@@ -679,6 +681,28 @@ static int exec_really_remove(kdnssec_ctx_t *ctx, knot_kasp_key_t *key)
return kdnssec_delete_key(ctx, key);
}
+static void log_next_event(kdnssec_ctx_t *ctx, roll_action_t *next)
+{
+ char time_str[64] = "";
+ struct tm time_gm = { 0 };
+ time_t nt = next->time;
+ localtime_r(&nt, &time_gm);
+ strftime(time_str, sizeof(time_str), KNOT_LOG_TIME_FORMAT, &time_gm);
+
+ if (next->type == GENERATE) {
+ const char *key_type = ctx->policy->single_type_signing ?
+ "CSK" : (next->ksk ? "KSK" : "ZSK");
+ log_zone_info(ctx->zone->dname, "DNSSEC, next key action, %s, generate at %s",
+ key_type, time_str);
+ } else {
+ const char *key_type = next->ksk ?
+ (next->zsk ? "CSK" : "KSK") : "ZSK";
+ log_zone_info(ctx->zone->dname, "DNSSEC, next key action, %s tag %hu, %s at %s",
+ key_type, dnssec_key_get_keytag(next->key->key),
+ roll_action_name(next->type), time_str);
+ }
+}
+
int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
zone_sign_reschedule_t *reschedule)
{
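Review bot: In log_next_event() the results of `localtime_r()` and `strftime()` are ignored; when `strftime()` returns 0 the contents of `time_str` are unspecified by the C standard, so the initial `""` does not guarantee a clean string in the log line. The local is also named `time_gm` while it is filled by `localtime_r()`, which misleads about the time zone in the message. A brief header comment is missing too, and the else branch dereferences `next->key->key`, which is only safe if the key object is still live for every non-GENERATE action type; the struct comment earlier in the diff suggests that is the design, so state it explicitly, e.g. `// next->key is dereferenced only for non-GENERATE actions, where the key object is still owned by ctx.` The rewritten prologue is below; the two logging branches are unchanged.
```c
/* Log the next scheduled key action for the zone. For GENERATE the key
 * object may already be gone, so only the copied ksk/zsk flags are used. */
static void log_next_event(kdnssec_ctx_t *ctx, roll_action_t *next)
{
	char time_str[64] = "";
	struct tm tm_local = { 0 };
	time_t nt = next->time;
	if (localtime_r(&nt, &tm_local) == NULL ||
	    strftime(time_str, sizeof(time_str), KNOT_LOG_TIME_FORMAT, &tm_local) == 0) {
		time_str[0] = '\0'; // strftime() leaves the buffer unspecified on 0
	}
	// … unchanged: GENERATE and rollover logging branches …
}
```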
@@ -848,6 +872,10 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
return knot_dnssec_key_rollover(ctx, flags, reschedule);
}
+ if (ret == KNOT_EOK && next.time > 0) {
+ log_next_event(ctx, &next);
+ }
+
if (ret == KNOT_EOK && reschedule->keys_changed) {
ret = kdnssec_ctx_commit(ctx);
if (ret == KNOT_EOK && (ctx->dbus_event & DBUS_EVENT_KEYS_UPDATED)) {
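Review bot: The guard `next.time > 0` is used as a proxy for "next_action() selected a key", but log_next_event() dereferences `next.key->key` for non-GENERATE actions, so the call is only safe if a positive time always comes with a non-NULL key. From the next_action() hunk above, `res.key` and `res.time` are assigned together, which supports that, but the initial value of `next` is set outside this hunk and cannot be checked here. Either document the coupling, `// next.time > 0 implies next_action() set next.key`, or make it explicit with `if (ret == KNOT_EOK && next.time > 0 && next.key != NULL) {`. The enclosing knot_dnssec_key_rollover() starts and ends outside the hunk.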